What more could you want?
Admin
Encrypted USB with dm-crypt and LUKS
Feb 13th
Recently, I came across an issue. I wanted to transfer some information from place to place, and have access to it, and make sure that no one else had access to it.
So, why not set up an encrypted USB device?
The cryptsetup package in Ubuntu provides a command-line interface for configuring encrypted devices. The dm-crypt device-mapper target allows for transparent encryption of block devices using the new Linux 2.6 kernel’s cryptoapi. Combined with Linux Unified Key Setup (LUKS), a USB device and a little ingenuity, they provide the key. And without the key specified in the setup of the encrypted device, there is no access to the data. Just what I like! So, how does one go about this seemingly-quite-complicated-and-may-take-several-tries-before-getting-it-right setup? Here’s how:
1. First things first – acquire a USB drive. I use a 4GB Lexar Firefly. It’s white.
PLEASE NOTE: If you have ANY data on the drive that you want to keep, make a backup of it right now. Where we’re going, we don’t need data. Yet.
I have it partitioned as follows (you may not need this much stuff):
$ sudo fdisk -l /dev/sda
Disk /dev/sda: 4059 MB, 4059561984 bytes
125 heads, 62 sectors/track, 1023 cylinders
Units = cylinders of 7750 * 512 = 3968000 bytes

   Device Boot   Start    End    Blocks  Id  System
/dev/sda1   *        1    190    736219   6  FAT16
/dev/sda2          191    320    503750  83  Linux
/dev/sda3          321    450    503750  83  Linux
/dev/sda4          451   1023   2220375   5  Extended
/dev/sda5          451    452      7719  83  Linux
/dev/sda6          453   1023   2212594   6  FAT16
To partition the drive, you can use fdisk, or gparted, or what you are comfortable with. This isn’t a tutorial for that, though, so I won’t go into more details than I have at this point. Basically, though, we need at least two partitions: One for the encrypted section, and one for regular use.
In case you are wondering why you wouldn’t want to encrypt the whole thing, read on. You don’t want to have to type your password in every time you plug it in. You want to be able to put the new driver that you downloaded on your cable internet on your Grandma’s computer so you don’t have to wait 3 hours for it to download over dialup. Your wife asks you to get the updated budget off of her computer, and you haven’t convinced her that Linux RULES! yet. I can go on for hours, but it comes down to this: If the whole thing is encrypted, it negates the usefulness of the USB drive. That said, let’s continue.
2. Install the cryptsetup package on Ubuntu using the following command (or do this on your distro the appropriate way):
$ sudo apt-get install cryptsetup
3. Reboot, or load the new dm-crypt module:
$ sudo modprobe dm_crypt
4. Look at /etc/fstab and see whether or not there are any entries pertaining to the USB drive, as these will likely cause it to fail to mount. Make sure that both of the partitions on the USB drive are NOT MOUNTED!! Use the mount command to list your mounted devices, and see if the appropriate block device is there. If it is, unmount it:
$ sudo umount /dev/sda1
5. Create the encrypted filesystems for secure storage on the FIRST partition you created:
$ sudo luksformat -t ext2 /dev/sda1
6. Create the vfat partition for normal USB drive use on the SECOND partition. I have given the partition the name LEXAR:
$ sudo mkfs.vfat -n LEXAR /dev/sda2
7. If Ubuntu decided in partitioning to remount the drive, unmount it. Remove the drive from the USB slot. Reinsert the USB drive, and voila! Ubuntu will prompt you for a password in order to mount your encrypted USB partition.
Now, you have a secure place to store sensitive information, such as SSH or PGP keys, password lists, pictures of your lovely wife, or anything else you come across. Now, you can feel free to restore the data that you backed up earlier.
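The check in step 4, written as a script to run before the format commands in steps 5 and 6. This is an added example, not part of the original post: the function names and the MOUNTS_FILE / FSTAB_FILE override variables are assumptions of this example, and fstab entries written as UUID= or LABEL= are not resolved to a device, so check those by eye.

```shell
#!/bin/sh
# Pre-flight for step 4: refuse to format while any partition of the target
# disk is mounted or still listed in fstab. The function names and the
# MOUNTS_FILE / FSTAB_FILE overrides are made up for this example.

# Print lines of FILE whose first field is DISK or one of its numbered
# partitions (/dev/sda, /dev/sda1 ... but not /dev/sdab1). Comments skipped.
entries_for_disk() {
    awk -v d="$1" '
        /^[ \t]*#/ { next }
        $1 == d    { print; next }
        index($1, d) == 1 && substr($1, length(d) + 1) ~ /^[0-9]+$/ { print }
    ' "$2"
}

# Return 0 if clean, 1 if mounted, 2 if listed in fstab, 3 if both.
usb_preflight() {
    disk=$1
    rc=0
    mounted=$(entries_for_disk "$disk" "${MOUNTS_FILE:-/proc/mounts}")
    listed=$(entries_for_disk "$disk" "${FSTAB_FILE:-/etc/fstab}")
    if [ -n "$mounted" ]; then
        echo "still mounted, unmount before formatting:" >&2
        echo "$mounted" | awk '{ print "  umount " $1 }' >&2
        rc=$((rc | 1))
    fi
    if [ -n "$listed" ]; then
        echo "fstab entries that may interfere:" >&2
        echo "$listed" | sed 's/^/  /' >&2
        rc=$((rc | 2))
    fi
    return "$rc"
}

# Usage, with the device name from the post:
#   usb_preflight /dev/sda && sudo luksformat -t ext2 /dev/sda1
```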
/cs
Adding Arguments to your Scripts
Feb 5th
I like bash.
It is simple and straightforward. In the words of Master Foo, “Is it he who writes the ten thousand lines, or he who, perceiving the emptiness of the task, gains merit by not coding?”
One of the easiest things to do in a bash script that has more than one function is to let arguments passed to the script specify its action.